Investigative reporting from Etilaat Rooz under ddos


December 28, 2019

The 18th and 24th of December 2019, the website of the Afghani Daily Newspaper Etilaat Roz (etilaatroz.com) received two denial of service attacks. Etilaat Roz was created in 2012 in Afghanistan, as new media platform funded by a group of young people working towards a better Afghanistan. Etilaat Roz is known to deliver investigative reports about corruption in the country.

Two days before the cyberattacks started, the Etilaat Roz Daily published two investigative reports:

Cisco Anyconnect VPN to hide

Floodings against Etilaatroz

An analysis of the traffic reveals that the attacker selected the URL to target (index.php) before the attack using two VPN services: PureVPN and Cisco Anyconnnect. The attacker changed IP address frequently, all the IPs belong to Cisco VPN service.


23.237.86{.}133 US
109.202.106{.}85 NL
89.187.177{.}111 US
89.187.177{.}112 US
89.187.177{.}81 US
89.187.177{.}66 US

The attacker used the Cisco US and NL Cluster “cisadd2.com” hosted

Description: C78-527494-09_figure01

PureVPN and Voxility fake the location of their VPN service

During the review of the traffic of the attacker, we found also one interesting IP belonging to PureVPN service: 172.111.208{.}68

The IP according to the whois database is allocated to Afghanistan.

etName: INTERNET-SECURITY-15-VOXILITY-AF
NetHandle: NET-172-111-208-0-1
Parent: INTERNET-SECURITY-15 (NET-172-111-128-0-1)
NetType: Reassigned
OriginAS: AS3223
Organization: VOXILITY-AF (VOXIL-11)
RegDate: 2017-07-19
Updated: 2017-07-19
Ref: https://rdap.arin.net/registry/ip/172.111.208.0

OrgName: VOXILITY-AF
OrgId: VOXIL-11
Address: Shashdarak 2nd
Address: 1002 Kabul
Address: Kabul, Afghanistan
City: Kabul

The IP range is registered in the whois database to the address Shashdarak 2nd in 1002 Kabul that matches the address of the ACG Data Center in Kabul.

However, after a few routing tests, we determined that the IP range was in fact located in Los Angeles, connected to the Equinix Internet Exchange inside of Voxility infrastructure.

Since 2015, PureVPN announces that they have a VPN a service in Afghanistan when in fact the service is located in the US. Two IPs are advertised as being in Afghanistan.

vlus-af-ovpn-tcp.pointtoserver.com 172.111.208{.}2
vlus-af.pointtoserver.com 206.123.150{.}62

The first one is 172.111.208{.}2 is in Los Angles and the second 206.123.150{.}62 is located in Chicago

Their fake information is so obvious that they even confuse Afghanistan with Mongolia in their website.

Conclusions

After reviewing the forensics information of the attacks against Etilaat Roz, we confirmed the following:

  • The attacks were targeted and connected to the release of their recent investigatory reports.
  • The attacker used two VPN services to hide its location: Cisco Anyconnect and PureVPN
  • PureVPN and Voxility provide fake information about the location of their VPN service in Afghanistan.